Secure control device, contactor comprising such a device and method for secure processing of a control signal

ABSTRACT

A safety control device intended to process a control signal and generate a safety control order. The device has:a control input,a protection circuit,a coupler having an emitter circuit designed to emit a second signal and a receiver circuit for providing a third signal,a switch,a pulse generator designed to cyclically control opening and closure of the switch, anda processing circuit designed to execute a method for safely processing the third signal.Also disclosed are a contactor having such a control device and to a method for safely processing a control signal.

TECHNICAL FIELD

The present invention relates to a safety control device intended inparticular to control a contactor. The invention also relates to amethod for safely processing a control signal for closing or opening acontactor and to a contactor having a safety control device.

PRIOR ART

Many devices have one or more contactors for controlling the powering onor powering off of electrical units, such as production machines,motors, welding devices, etc. Some devices whose operation is hazardousrequire increased safety in order to control them, and in particularhave to have an emergency stop means in order to interrupt operation inthe event of danger. In order to bolster the safety of goods and people,a command to start operation of an electric motor may be subject tovalidation in order to avoid any unwanted command caused for example byelectromagnetic interference. In this case, when a command is invalid,the device has to be put into a safe state, generally corresponding tothe device being stopped.

Document EP 1 538 651 A2 is known and relates to an emergency stopcircuit having two lines operating in parallel, each line havingcontacts, the actuation of which is controlled by central units. Thesupply of power for the commands for the contacts is disconnected whenan emergency stop is requested.

Patent application US 2004/0199 837 A describes a method and a devicefor the safe transmission of information between input and output unitsof a safety system.

Patent application US 2011/0169345 A1 describes a control system thatprevents starting of a load when the command for or the supply of powerto the load exhibits an anomaly.

DESCRIPTION OF THE INVENTION

The present invention relates to a safety control device intended toprocess a control signal and generate a first safety control order, saidsafety control device comprising:

-   -   a control input having at least a first connection point and a        second connection point, said control input being designed to        receive the control signal,    -   a first protection circuit,    -   a first coupler having:        -   a first emitter circuit connected in series with the first            protection circuit, the assembly formed by the first emitter            circuit and the first protection circuit being connected            between the first connection point and the second connection            point, said first emitter circuit being designed to emit a            second signal when the control signal is present on the            control input, and        -   a first receiver circuit designed to receive the second            signal and to provide a third signal formed of at least one            pulse,    -   a first switch connected in parallel across the first emitter        circuit,    -   a pulse generator connected to the first switch and designed to        cyclically control opening and closure of the first switch, and    -   a first processing circuit connected to the first receiver        circuit in order to receive the third signal, said first        processing circuit being designed to process the third signal        and provide the first safety control order, said first safety        control order being able to adopt at least two states:    -   a first start safety control order, or    -   a first stop safety control order.

Advantageously, the first emitter circuit and the first receiver circuitare galvanically isolated from one another.

Advantageously, the first coupler has at least one optocoupler, thefirst emitter circuit having an emitting diode and the first receivercircuit having a phototransistor, the emitting diode emitting radiationthat forms a medium for transmitting the second signal to thephototransistor through an electrically insulating wall transparent tothe radiation.

Advantageously, the pulse generator generates pulses having a predefinedduty cycle less than or equal to 50%.

Preferably, the pulse generator generates pulses at a frequency ofbetween 100 Hz and 10 kHz.

Advantageously, the first protection circuit has a current-limitingcircuit for limiting the current flowing through said protectioncircuit.

Advantageously, the first protection circuit has a current thresholddetection circuit connected to the current-limiting circuit in order tolimit the current flowing through said protection circuit to apredefined maximum intensity when the amplitude of the control signal isgreater than a predefined maximum voltage threshold.

In one particular embodiment, a voltage threshold detection circuit isconnected in series with the first protection circuit and the firstemitter circuit in order to limit the current flowing through saidemitter circuit to a predefined minimum intensity when the amplitude ofthe control signal is less than a predefined minimum voltage threshold.

In one particular embodiment, the first switch is connected in serieswith the first protection circuit and the first emitter circuit.

According to one variant, the safety control device furthermore has:

-   -   a validation input having a third connection point, said        validation input being designed to receive a validation signal,    -   a second protection circuit,    -   a second coupler having:        -   a second emitter circuit connected in series with the second            protection circuit, the assembly formed by the second            emitter circuit and the second protection circuit being            connected between the third connection point and the second            connection point of the safety control device, said second            emitter circuit being designed to emit a fourth signal when            the validation signal is present on the validation input,            and        -   a second receiver circuit designed to receive the fourth            signal and to provide a fifth signal,    -   a second switch connected firstly in parallel across the second        emitter circuit and connected secondly to the pulse generator so        that said pulse generator cyclically controls opening and        closure of said second switch,    -   a second processing circuit connected to the second receiver        circuit in order to receive the fifth signal, said second        processing circuit being designed to process the fifth signal        and provide a second safety control order, said second safety        control order being able to adopt at least two states:        -   a second start safety control order and        -   a second stop safety control order    -   a logic circuit having:        -   a first binary input connected to the first processing            circuit in order to receive the first safety control order,        -   a second binary input connected to the second processing            circuit in order to receive the second safety control order,            and        -   a second binary output for providing a third safety control            order.

Advantageously, the third safety control order adopts at least twostates:

-   -   a third start safety control order when a first safety control        order provided by the safety control device is a first start        safety control order and when the second safety control order is        a second start safety control order, or    -   a third stop safety control order when a first safety control        order provided by the safety control device is a first stop        safety control order or when the second safety control order is        a second stop safety control order.

The present invention also relates to a contactor having:

-   -   at least one electrical contact connected to an upstream current        line and a downstream current line, said electrical contact        being designed to allow the flow of an electric current between        the upstream current line and the downstream current line to be        permitted or blocked,    -   an actuator designed to actuate the at least one electrical        contact,    -   a safety control device, as described above, connected to the        actuator in order to provide a first safety control order to        said actuator in order to control the actuation of the at least        one electrical contact,    -   a first connection terminal connected to a first connection        point of said safety control device, and    -   a second connection terminal connected to a second connection        point of said safety control device,

said contactor being such that the safety control device controls theactuator:

-   -   so as to execute closure of the at least one electrical contact        when the first safety control order is a first start safety        control order, or    -   so as to execute opening of the at least one electrical contact        when the first safety control order is a first stop safety        control order.

Advantageously, the contactor furthermore has a third connectionterminal connected to a third connection point of the safety controldevice. The safety control device is connected to the actuator via asecond binary output in order to provide a third safety control order tothe actuator, said third safety control order being able to adopt atleast two states:

-   -   a third start safety control order, or    -   a third stop safety control order.

The safety control device, by providing a third safety control order tothe actuator, controls said actuator:

-   -   so as to execute closure of the at least one electrical contact        when the third safety control order is a third start safety        control order, or    -   so as to execute opening of the at least one electrical contact        when the third safety control order is a third stop safety        control order.

The present invention also relates to a method for safely processing athird signal formed of at least one pulse provided by at least a firstreceiver circuit of a safety control device as described above, saidmethod comprising iteratively counting a number of pulses provided bythe first receiver circuit during a time interval of a predefinedduration.

Advantageously, a first counter is incremented when the number of pulsescounted during a time interval is between a predefined minimum number ofpulses and a predefined maximum number of pulses.

Preferably, a first start safety control order is generated when thefirst counter is equal to or greater than a predefined validationthreshold.

Preferably, a second counter is incremented when the number of pulsescounted during the time interval is not between the minimum number ofpulses and the maximum number of pulses.

Preferably, a first stop safety control order is generated when thesecond counter is equal to or greater than a predefined invalidationthreshold.

BRIEF DESCRIPTION OF THE DRAWINGS

Other advantages and features will become more clearly apparent from thefollowing description and from particular embodiments of the invention,given by way of non-limiting example and shown in the appended drawings,in which:

FIG. 1 shows, in the form of a block diagram, a safety control deviceaccording to the invention,

FIGS. 2a and 2b show variant embodiments of a protection circuit formingpart of the safety control device, and FIG. 2c shows a combination of avoltage threshold detection circuit and a first coupler circuit,

FIG. 2d shows a variation curve of a current flowing in the protectioncircuit, and FIG. 2e shows a variation curve of a current flowing in afirst emitter circuit,

FIG. 3 shows, in the form of a block diagram, a connection variant for afirst switch in a safety control device,

FIG. 4 shows, in the form of a block diagram, a safety control devicehaving a validation input,

FIG. 5a shows, in the form of a block diagram, a contactor having asafety control device, and FIG. 5b shows a contactor having a safetycontrol device having a validation input,

FIGS. 6a to 6d are timing diagrams of a signal received by a processingcircuit forming part of a safety control device,

FIG. 7a shows a flowchart of a method for safely processing a signalperformed by the processing circuit, and

FIG. 7b shows a flowchart of a preferred variant of the safetyprocessing method performed by the processing circuit.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

FIG. 1 shows, in the form of a block diagram, a safety control device 1intended to process a control signal Sig1 and generate a first safetycontrol order. Said safety control device 1 comprises at least:

-   -   a control input E,    -   a first protection circuit 10,    -   a first coupler 20,    -   a first switch 30,    -   a pulse generator 40,    -   a first processing circuit 50, and    -   a first binary output S1.

The control input E has at least a first connection point E1 and asecond connection point E2. The control signal Sig1 is applied betweenthe first point E1 and the second point E2. The control signal Sig1 ispreferably a continuous voltage level or stage with an amplitude Vsig1of between 1 volt and 30 volts, preferably with a duration of between 5ms and 100 ms.

The first protection circuit 10 is designed to clip the control signalSig1 if it has an abnormally high amplitude Vsig1 and/or to limit acurrent i flowing in the safety control device 1, when a control signalSig1 is applied. A first embodiment of the first protection circuit 10is shown in FIG. 2a and has a current limiter 11 consisting for exampleof at least one resistor R. The resistor R is preferably dimensioned soas to limit the current i to a predefined maximum intensity IMax ofbetween 1 mA and 100 mA.

As a variant, the first protection circuit 10 has a current limiter 11connected to a current threshold detection circuit 12, as shown in FIG.2b . FIG. 2d shows a variation curve of the current i flowing in thefirst protection circuit 10 as a function of the amplitude Vsig1 of thecontrol signal Sig1. When the intensity of the current i is less thanthe maximum current intensity IMax, the current threshold detectioncircuit 12 does not act, and the current i is set by the ratio betweenthe amplitude Vsig1 of the control signal Sig1 and the value of theresistance R in accordance with Ohm's law. For example, for an amplitudeVsig1 of the control signal Sig1 equal to 24 volts and for a resistanceR equal to 2000 ohms, the amplitude of the current i will be equal to 12mA. When the amplitude Vsig1 of the control signal Sig1 exceeds apredefined maximum voltage threshold Umax, the current thresholddetection circuit 12 acts on the current limiter 11 so as to increasethe value of the resistance R in order to keep the intensity of thecurrent i at the predefined maximum current intensity IMax. Thus, withthe current i being constant, the power dissipated and therefore theheating in the current limiter 11 vary only in accordance with a linearlaw as a function of the amplitude Vsig1 of the control signal Sig1.

Optionally, a voltage threshold detection circuit 13 is connected inseries with the first protection circuit 10 and with the first coupler20, as shown in FIG. 2c . In this configuration, the voltage thresholddetection circuit 13 detects a predefined minimum voltage thresholdUmin. For as long as the amplitude Vsig1 of the control signal Sig1 isless than said minimum voltage threshold Umin, the voltage thresholddetection circuit 13 limits the current i flowing in a first emittercircuit 21 of the first coupler 20 to a predefined minimum intensityImin. When the amplitude Vsig1 of the control signal Sig1 is greaterthan the minimum voltage threshold Umin, the voltage threshold detectioncircuit 13 is inactive, and the current i is limited only by the currentlimiter 11. A curve representative of the variation in the current iflowing in the first protection circuit 10 as a function of theamplitude Vsig1 of the control signal Sig1 in such an operating mode isshown in FIG. 2e . Such a voltage threshold detection circuit 13 is usedso that the first coupler 20 receives the control signal Sig1 only ifsaid control signal Sig1 has an amplitude greater than the minimumvoltage Umin, in order for example to eliminate stray signals. Thethreshold detection circuit 13 may consist of at least one Zener diode.

Optionally, for example in order to comply with the recommendations inthe IEC60947-1 Standard, Appendix S, which deals with digital inputs forlow-voltage appliances, a bypass resistor Rd is connected in parallelacross the threshold detection circuit 13 and the first coupler 20, asshown in FIG. 2c , so that a current i is always present even when thefirst switch 30 is open and when the amplitude Vsig1 of the controlsignal Sig1 is less than the minimum voltage Umin. The bypass resistorRd may also be connected in parallel across the first switch 30.

In one preferred embodiment, the current limiter 11 limits the amplitudeof the current i to a predefined maximum current intensity IMax ofbetween 8 mA and 20 mA, the predefined minimum intensity of the currentImin is between 0 and 8 mA, the predefined maximum voltage thresholdUMax is between 12 volts and 30 volts, and the predefined minimumvoltage threshold Umin is between 0 and 12 volts.

The first coupler 20 has the first emitter circuit 21 connected inseries with the first protection circuit 10, the assembly formed by thefirst emitter circuit 21 and the first protection circuit 10 beingconnected between the first connection point E1 and the secondconnection point E2, as shown in FIG. 1. The first emitter circuit 21 isdesigned to emit a second signal Sig2 when the control signal Sig1 ispresent on the control input E and when the current i is flowing in saidfirst emitter circuit 21. The first coupler 20 also has a first receivercircuit 22 designed to receive the second signal Sig2 and to provide athird signal Sig3. Said third signal Sig3 is formed of at least onepulse, as will be described later on. The first emitter circuit 21 andthe first receiver circuit 22 of said first coupler 20 are galvanicallyisolated from one another.

Preferably, the first coupler 20 has at least one optocoupler: the firstemitter circuit 21 has an emitting diode D, the first receiver circuit22 has a phototransistor Tr, the emitting diode D emitting radiation tothe phototransistor Tr through a wall Sc transparent to the radiation,said wall being arranged between the emitting diode D and thephototransistor Tr, said radiation forming a medium for transmitting thesecond signal Sig2. The phototransistor Tr provides the third signalSig3 in the same way as the second signal Sig2. The wall Sc also has anelectrically insulating property, that is to say that it does notconduct electric current, so as to provide galvanic isolation betweenthe first emitter circuit 21 and the first receiver circuit 22.

The first switch 30 is connected in parallel across the first emittercircuit 21 in order to short-circuit the first emitter circuit 21 whensaid first switch 30 is closed. The first emitter circuit 21 is thusable to emit only when the first switch 30 is in an open state. Thefirst switch 30 is preferably a bipolar transistor or field-effecttransistor. This configuration has the advantage of guaranteeing aconstant flow of a current i as soon as a control signal Sig1 is presenton the control input E, regardless of the open or closed state of thefirst switch 30. The first switch 30 is controlled by the pulsegenerator 40.

The pulse generator 40 is connected to the first switch 30 and generatespulses in order to cyclically control opening and closure of the firstswitch 30. Preferably, a pulse controls closure of the first switch 30,the first switch 30 being open during the time interval between twoconsecutive pulses. The control signal Sig1 is therefore modulated bythe pulses delivered by the pulse generator 40.

The pulse generator 40 generates pulses preferably having a rectangularform, having a predefined duty cycle less than or equal to 50% at afrequency preferably of between 100 Hz and 10 kHz. The pulse generator40 is preferably a free oscillator that is not synchronized with anyother signal present in the safety control device 1.

In the presence of a control signal Sig1, the emitting diode D of thefirst emitter circuit 21 emits radiation to the phototransistor Tr ofthe first receiver circuit 22 when the first switch 30 is open. Saidphototransistor Tr then provides a pulse forming the third signal Sig3,as shown in FIG. 6a . When the first switch 30 is closed, the firstemitter circuit 21 no longer emits radiation to the phototransistor Tr,and the third signal Sig3 becomes zero. The third signal Sig3 thuscontains at least one pulse P when the control signal Sig1 is presentand when the pulse generator 40 is generating pulses.

The first processing circuit 50 is connected to the first receivercircuit 22 in order to receive the third signal Sig3. Said firstprocessing circuit 50 is designed to execute a safety processing method500 described later on in order to process the third signal Sig3 andprovide a first safety control order Sig4. Said first safety controlorder Sig4 may adopt at least two states:

-   -   a first start safety control order Sig4_ON, or    -   a first stop safety control order Sig4_OFF.

The first start safety control order Sig4_ON corresponds to a startsafety command, and the first stop safety control order Sig4_OFFcorresponds to a stop safety command, which is particularly suitable fora safe emergency stop order.

According to one connection variant for the first switch 30, said firstswitch 30 is connected in series with the first protection circuit 10and the first emitter circuit 21, as shown in FIG. 3. In this case, thethird signal Sig3 is formed of pulses P when the control signal Sig1 ispresent on the input E and when the first switch 30 is closed. Theprocessing performed by the first processing circuit 50 on the thirdsignal Sig3 is unchanged.

It is often necessary to implement a double safety command in a safetyinstallation. Such a double command contains a first safety commandwhose role is to control starting and a second safety command whose roleis to validate or authorize, and the absence of which generallycorresponds to an emergency stop command. In order to meet this need,the invention also relates to a safety control device 1, shown in FIG.4, having a safety control device 1 as described above, and furthermorehaving:

-   -   a validation input V having a third connection point E3, said        validation input V being designed to receive a validation signal        Sig10 applied between the second connection point E2 and said        third connection point E3,    -   a second protection circuit 110,    -   a second coupler 120 having:        -   a second emitter circuit 121 connected in series with the            second protection circuit 110, the assembly formed by the            second emitter circuit 121 and the second protection circuit            110 being connected between the third connection point E3            and the second connection point E2, said second emitter            circuit 121 being designed to emit a fourth signal Sig20            when the validation signal Sig10 is present on the            validation input V, and        -   a second receiver circuit 122 designed to receive the fourth            signal Sig20 and to provide a fifth signal Sig30,    -   a second switch 130 connected firstly in parallel across the        second emitter circuit 121 in order to short-circuit said second        emitter 121 when it is closed, and connected secondly to the        pulse generator 40 so that said pulse generator 40 cyclically        controls opening and closure of said second switch 130,    -   a second processing circuit 150 connected to the second receiver        circuit 122 in order to receive the fifth signal Sig30, said        second processing circuit 150 being designed to process the        fifth signal Sig30 and provide a second safety control order        able to adopt at least two states:        -   a second start safety control order Sig40_ON, and        -   a second stop safety control order Sig40_OFF, and    -   a logic circuit 160 having:        -   a first binary input L1 connected to the first processing            circuit 50 in order to receive the first safety control            order Sig4,        -   a second binary input L2 connected to the second processing            circuit 150 in order to receive the second safety control            order Sig40, and        -   a second binary output S2 for providing a third safety            control order Sig50.

The third safety control order Sig50 may adopt at least two states:

-   -   a third start safety control order Sig50_ON when the first        safety control order Sig4 provided by the safety control device        1 is a first start safety control order Sig4_ON and when the        second safety control order Sig40 is a second start safety        control order Sig40_ON, or else    -   a third stop safety control order Sig50_OFF when the first        safety control order Sig4 provided by the safety control device        1 is a first stop safety control order Sig4_OFF or when the        second safety control order Sig40 is a second stop safety        control order Sig40_OFF.

The third start safety control order Sig50_ON is given when the firststart safety control order Sig4_ON and the second safety control orderSig40 are provided by the first and second processing circuits 50, 150,respectively. The third stop safety control order Sig50_OFF is provided:

-   -   when the first stop safety control order Sig4_OFF is provided by        the first processing circuit 50, or    -   when the second stop safety control order Sig40_OFF is provided        by the second processing circuit 150.

The second protection circuit 110 is similar to the first protectioncircuit 10,

the second coupler 120 is similar to the first coupler 20,

the second switch 130 is similar to the first switch 30, and

the second processing circuit 150 is similar to the first processingcircuit 50.

The invention also relates to a contactor 100 shown in the form of ablock diagram in FIG. 5a . Said contactor 100 has:

-   -   at least one electrical contact 310 connected to at least one        upstream current line 320 and one downstream current line 330,        said electrical contact 310 being designed to allow the flow of        an electric current between the upstream current line 320 and        the downstream current line 330 to be permitted or blocked,    -   an actuator 2 designed to actuate the at least one electrical        contact 310,    -   a safety control device 1 as described above,    -   a first connection terminal C1 connected to the first connection        point E1 of said safety control device 1, and    -   a second connection terminal C2 connected to the second        connection point E2 of said safety control device 1, the control        signal Sig1 being applied between the first connection terminal        C1 and the second connection terminal C2. The safety control        device 1 thus receives the control signal Sig1 on its safety        control input E.

The safety control device is connected, via the first binary output S1,to the actuator 2 in order to provide a first safety control order Sig4to said actuator 2 in order to control the actuation of the at least oneelectrical contact 310 when the control signal Sig1 is received on itssafety control input E. The safety control device 1 controls theactuator 2:

-   -   so as to execute closure of the at least one electrical contact        310 when the first safety control order Sig4 is a first start        safety control order Sig4_ON, or    -   so as to execute opening of the at least one electrical contact        310 when the first safety control order Sig4 is a first stop        safety control order Sig4_OFF.

According to one preferred embodiment, the contactor 100, shown in theform of a block diagram in FIG. 5b , furthermore has a third connectionterminal C3 connected to the third connection point E3 of the safetycontrol device 1. The validation signal Sig10 is applied between thesecond connection terminal C2 and said third connection terminal C3.

Such a contactor 100 has two safety control inputs: a control signalSig1, applied between the first and the second connection terminal,respectively C1 and C2, received on the control input E of the safetycontrol device 1, corresponds to a start command. A validation signalSig10, applied between the second connection terminal C2 and the thirdconnection terminal C3, received on the validation input V of the safetycontrol device 1, corresponds to validation or authorization of acommand conveyed by the control signal Sig1. The absence of saidvalidation signal Sig10 corresponds to an emergency stop request. Thevalidation signal Sig10 is preferably a continuous voltage interval orstage with an amplitude of between 1 volt and 30 volts.

The safety control device 1 is connected to the actuator via a secondbinary output S2 in order to provide a third safety control order Sig50to the actuator 2, said third safety control order Sig50 being able toadopt two states, as described above:

-   -   a third start safety control order Sig50_ON, or    -   a third stop safety control order Sig50_OFF.

Said contactor 100 is designed such that:

-   -   the safety control device 1 provides a third start safety        control order Sig50_ON to the actuator 2 in order to control the        actuator 2 so as to execute closure of at least one electrical        contact 310 when the first safety control order Sig4 is a first        start safety control order Sig4_ON and when the second safety        control order Sig40 is a second start safety control order        Sig40_ON, or    -   the safety control device 1 provides a third stop safety control        order Sig50_OFF to the actuator 2 in order to control the        actuator 2 so as to execute opening of at least one electrical        contact 310 when the first safety control order Sig4 is a first        stop safety control order Sig4_OFF or when the second safety        control order Sig40 is a second stop safety control order        Sig40_OFF.

The control signal Sig1 is thus validated when the first processingcircuit 50 has validated the compliance of the control signal Sig1 andwhen the second processing circuit 150 has validated the compliance ofthe validation signal Sig10. If either the control signal Sig1 or thevalidation signal Sig10 does not comply, then the contactor 100 will beput into a safe state, corresponding to opening at least one electricalcontact 310, in order to protect personnel and prevent or limit damageto hardware.

Other operating modes of the contactor 100 are possible, in particular amode in which the control signal Sig1 is a pulsed signal of limitedduration and the validation signal Sig10 has a role ofauthorizing/validating said command to close the actuator 2. Thevalidation signal Sig10 is applied first of all or at the same time asthe control signal Sig1, following which the actuator 2 is actuated andat least one electrical contact 310 is closed. Said actuator 2 thenremains actuated even though the control signal Sig1 has disappeared. Bycontrast, as soon as the validation signal Sig10 disappears, theactuator 2 is deactivated, and at least one electrical contact 310 isopened. Such operation may easily be implemented by the logic circuit160.

A contactor 100 may have a single electrical contact 310 connectedbetween an upstream current line 320 and a downstream current line 330,or else two electrical contacts 310 connected between two upstreamcurrent lines 320 and two downstream current lines 330, the twoelectrical contacts 310 being isolated from one another, the upstreamcurrent lines 320 and the downstream current lines 330 also beingisolated from one another, as shown in FIGS. 5a and 5b . A contactor 100may also be designed to operate on a three-phase network and have threeelectrical contacts 310, three upstream current lines 320 and threedownstream current lines 330.

The first processing circuit 50 executes the safety processing method500 in order to process the third signal Sig3 and generate the firstsafety control order Sig4. The second processing circuit 150 alsosimilarly executes the safety processing method 500 in order to processthe fifth signal Sig30 and generate the second safety control orderSig40. Therefore, only the safety processing method 500 performed by thefirst processing circuit 50 is described below.

The safety processing method 500 comprises iteratively counting a numberQ of pulses P forming the third signal Sig3, said pulses P beingprovided by the first receiver circuit 22 during a time interval ofpredefined duration T, as shown by FIG. 6 a.

A first embodiment of the safety processing method 500 is shown in FIG.7a . In an initialization step 510, a first stop safety control orderSig4_OFF is emitted in order to initialize the first safety controlorder Sig4. A first counter Q1 and a second counter Q2 are alsoinitialized. Next, in a counting step 520, the method counts Q thenumber of pulses P received over a predefined time interval T. At theend of counting step 520, there is a step 530 of comparing the number Qof pulses counted with a predefined minimum number of pulses Qmin and apredefined maximum number of pulses Qmax. When the number Q of pulsescounted is outside the interval between the minimum number of pulsesQmin and the maximum number of pulses Qmax, then the method continueswith a step 540 of incrementing the second counter Q2. The secondcounter Q2 is then compared with a predefined invalidation thresholdQinv in a step 550. When the second counter Q2 is equal to or greaterthan the invalidation threshold Qinv, the method considers that thenumber Q of pulses counted is not compliant, and the method returns toinitialization step 510, corresponding to a safe state, and inparticular the first stop safety control order Sig4_OFF is generated. Bycontrast, when the number Q of pulses counted is within the intervalbetween the minimum number of pulses Qmin and the maximum number ofpulses Qmax, then the method continues with a step 560 of incrementingthe first counter Q1. Next, in a step 570, the first counter Q1 iscompared with a predefined validation threshold Qval. When the firstcounter Q1 is less than said validation threshold Qval, then the methodreturns to counting step 520 to execute an additional iteration. Whenthe first counter Q1 is greater than or equal to the validationthreshold Qval, the method continues with a step 580 comprisinggenerating the first start safety control order Sig4_ON andreinitializing the first and second counters Q1 and Q2. The method thenreturns to counting step 520 to execute a new iteration.

A second embodiment of the safety processing method 500 is shown in FIG.7b . The initialization step 510, counting step 520, comparison step530, step of incrementing the second counter Q2 in step 540, step ofcomparison with the invalidation threshold in step 550 and step ofincrementing the first counter Q1 in step 560 are identical. Bycontrast, after said step 560 of incrementing the first counter Q1, asecond counting step 561 is performed, followed by a step 562 ofcomparing the number Q of pulses counted with the minimum number ofpulses Qmin and with the maximum number of pulses Qmax. When the numberQ of pulses counted is less than the minimum number of pulses Qmin orgreater than the maximum number of pulses Qmax, then the methodcontinues with a step 563 of incrementing the second counter Q2, saidsecond counter Q2 then being compared with the invalidation thresholdQinv in a step 564. When the second counter Q2 is equal to or greaterthan the invalidation threshold Qinv, the method considers that thenumber Q of pulses counted is not compliant, and the method returns toinitialization step 510, corresponding to a safe state. When the secondcounter Q2 is less than the invalidation threshold Qinv, the methodreturns to the second counting step 561. When the number Q of pulsescounted in step 562 is between the minimum number of pulses Qmin and themaximum number of pulses Qmax, then the method continues with a step 565of incrementing the first counter Q1 and a new monitoring loop formonitoring the number Q of pulses P received during a time interval T inthe comparison step 566, incrementation step 567 and comparison step568. In particular, in comparison step 568, when the second counter Q2is less than the invalidation threshold Qinv, the method returns to thesecond counting step 561. The second embodiment of the safety processingmethod 500 thus described requires the number Q of pulses P counted intwo successive time intervals T to be within the interval between theminimum number of pulses Qmin and the maximum number of pulses Qmax.Said second embodiment is therefore more exacting than the firstembodiment of the method shown in FIG. 7a , and it is better suited toimplementation in industrial environments subject to significantelectromagnetic interference. Other method variants for counting thenumber of pulses Q and decision criteria for generating the first safetycontrol order may be constructed on the basis of the methods describedabove in order to adapt the method to particular environments.

Preferably, the minimum number of pulses Qmin is between 2 and 5, themaximum number of pulses Qmax is between 3 and 50, the validationthreshold Qval is between 2 and 10, the invalidation threshold Qinv isbetween 2 and 5, and the duration of the time interval T is between 1 msand 10 ms. FIG. 6b illustrates, by way of a timing diagram, an exampleof counting a number Q of pulses P forming the third signal Sig3 and theevolution of the first and second counters Q1 and Q2 over time. In thisexample, Qmin=2, Qmax=3, Qval=3, Qinv=3. At the initial time, the firstand second counters Q1 and Q2 are initialized at zero. In a first timeinterval T, corresponding to a first iteration STEP1, two pulses P arecounted, therefore Q=2, and the first counter Q1 is incremented, Q1=1,since Q is between Qmin and Qmax. In the following period Tcorresponding to the iteration STEP2, three pulses P are counted, andtherefore the first counter Q1 is incremented once more, Q1=2. In thefollowing period T corresponding to the iteration STEP3, a single pulseP is counted, therefore Q=1. The first counter Q1 is not incrementedsince the number Q of pulses counted is outside the interval between theminimum number of pulses Qmin and the maximum number of pulses Qmax, asverified in comparison step 530. By contrast, the second counter Q2 isincremented. In the following period T corresponding to the iterationSTEP4, four pulses P are counted, and the first counter Q1 is notincremented whereas the second counter Q2 is incremented, since thenumber Q of pulses counted is outside the interval between the minimumnumber of pulses Qmin and the maximum number of pulses Qmax. In thefollowing period T corresponding to the iteration STEP5, two pulses arecounted, and the first counter Q1 is incremented and adopts the value 2.In the following period T corresponding to the iteration STEP6, thefirst counter Q1 is incremented since two pulses P are counted in theperiod T. The first counter Q1 reaches the value 3 corresponding to thevalidation threshold Qval chosen in this example, and the command istherefore safe, a first start safety control order Sig4_ON is emitted,the first and second counters Q1 and Q2 are reinitialized at zero andthe method returns to counting step 520 to execute a new iteration.

FIG. 6c illustrates a second example of counting a number Q of pulses Pforming the third signal Sig3 and the evolution of the first and secondcounters Q1 and Q2 over time. At the initial time, the first and secondcounters Q1 and Q2 are at zero. In a first time interval T,corresponding to a first iteration STEP1, two pulses P are counted, andtherefore the first counter Q1 is incremented. In the following period Tcorresponding to the iteration STEP2, a single pulse P is counted. Thefirst counter Q1 is not incremented but the second counter Q2 isincremented, since the number Q of pulses counted is outside theinterval between the minimum number of pulses Qmin and the maximumnumber of pulses Qmax. The same applies in the following period Tcorresponding to the iteration STEP3 since a single pulse P is counted,and the second counter Q2 is equal to 2. In the following period Tcorresponding to the iteration STEP4, two pulses P are counted, and thefirst counter Q1 is incremented, and therefore Q1=2. In the followingperiod T corresponding to the iteration STEP5, there is no pulse P, andthe second counter Q2 is incremented and reaches the value 3 equal tothe invalidation threshold Qinv chosen in this example. The safetycommand is therefore invalidated, and the method returns toinitialization step 510 corresponding to a safe state. The first stopsafety control order Sig4_OFF is generated, the first and secondcounters Q1 and Q2 are reinitialized at zero and the method continueswith counting step 520 to execute a new iteration.

FIG. 6d illustrates a third example in which the number of pulses Qcounted in 3 iterations STEP2, STEP3 and STEP4 is equal to 0. The secondcounter Q2 then reaches the value 3 at the end of the iteration STEP4and the first stop safety control order Sig4_OFF is generated. Thisexample illustrates operation of a safe emergency stop command.

The first counter Q1 thus counts the number of iterations STEP1, STEP2,STEP3, etc. in which the number Q of pulses P is within the interval ofexpected values, and the second counter Q2 counts the number ofiterations STEP1, STEP2, STEP3, etc. in which the number Q of pulses Pis outside the interval of expected values. The response time of such amethod makes it possible to validate a safety control order within aperiod greater than or equal to (Qval×T) after the onset of theoccurrence of the third signal Sig3. For example, when Qval=3 and T=3ms, the response time is greater than or equal to 9 ms, whether for afirst start safety control order or a first stop safety control order.

The safety control device 1 and the safety processing method on whichthe invention is based contribute to monitoring and validating a startor stop command for a contactor so as firstly to avoid any unwantedcommand initialized for example by electromagnetic interference andsecondly to reliably execute an emergency stop request. Galvanicisolation between inputs and outputs is additionally provided by thefirst and the second coupler. Lastly, implementing at least one firstswitch 30 in combination with a pulse generator 40 allows self-controlof the circuits forming the safety control device 1 or of the safetycontrol device 1. Such safety control circuits and the safety processingmethod that they comprise may also be implemented in order to remotelycontrol a circuit breaker or any other safety element. They areparticularly suitable for installations requiring SIL1 certification.

1. A safety control device configured to process a control signal andgenerate a first safety control order, said safety control devicecomprising: a control input having at least a first connection point anda second connection point, said control input being configured toreceive the control signal, a first protection circuit, a first couplerhaving: a first emitter circuit connected in series with the firstprotection circuit, the assembly formed by the first emitter circuit andthe first protection circuit being connected between the firstconnection point and the second connection point, said first emittercircuit being designed to emit a second signal when the control signalis present on the control input, and a first receiver circuit designedto receive the second signal and to provide a third signal formed of atleast one pulse, a first switch connected in parallel across the firstemitter circuit, a pulse generator connected to the first switch anddesigned to cyclically control opening and closure of the first switch,and a first processing circuit connected to the first receiver circuitin order to receive the third signal, said first processing circuitbeing designed to process the third signal and provide the first safetycontrol order, said first safety control order being able to adopt atleast two states: a first start safety control order, or a first stopsafety control order.
 2. The safety control device according to claim 1,wherein the first emitter circuit and the first receiver circuit aregalvanically isolated from one another.
 3. The safety control deviceaccording to claim 1, wherein the first coupler has at least oneoptocoupler, the first emitter circuit having an emitting diode and thefirst receiver circuit having a phototransistor, the emitting diodeemitting radiation that forms a medium for transmitting the secondsignal to the phototransistor through an electrically insulating walltransparent to the radiation.
 4. The safety control device according toclaim 1, wherein the pulse generator generates pulses having apredefined duty cycle less than or equal to 50%.
 5. The safety controldevice according to claim 1, wherein the pulse generator generatespulses at a frequency of between 100 Hz and 10 kHz.
 6. The safetycontrol device according to claim 1, wherein the first protectioncircuit has a current-limiting circuit for limiting the current flowingthrough said protection circuit.
 7. The safety control device accordingto claim 6, wherein the first protection circuit has a current thresholddetection circuit connected to the current-limiting circuit in order tolimit the current flowing through said protection circuit to apredefined maximum intensity when the amplitude of the control signal isgreater than a predefined maximum voltage threshold.
 8. The safetycontrol device according to claim 7, wherein a voltage thresholddetection circuit is connected in series with the first protectioncircuit and the first emitter circuit in order to limit the currentflowing through said emitter circuit to a predefined minimum intensitywhen the amplitude of the control signal is less than a predefinedminimum voltage threshold.
 9. The safety control device according toclaim 1, wherein the first switch is connected in series with the firstprotection circuit and the first emitter circuit.
 10. The safety controldevice according to claim 1, further comprising: a validation inputhaving a third connection point, said validation input being designed toreceive a validation signal, a second protection circuit, a secondcoupler having: a second emitter circuit connected in series with thesecond protection circuit, the assembly formed by the second emittercircuit and the second protection circuit being connected between thethird connection point and the second connection point of the safetycontrol device, said second emitter circuit being designed to emit afourth signal when the validation signal is present on the validationinput, and a second receiver circuit designed to receive the fourthsignal and to provide a fifth signal, a second switch connected firstlyin parallel across the second emitter circuit and connected secondly tothe pulse generator so that said pulse generator cyclically controlsopening and closure of said second switch, a second processing circuitconnected to the second receiver circuit in order to receive the fifthsignal, said second processing circuit being designed to process thefifth signal and provide a second safety control order, said secondsafety control order being able to adopt at least two states: a secondstart safety control order and a second stop safety control order, alogic circuit having: a first binary input connected to the firstprocessing circuit in order to receive the first safety control order, asecond binary input connected to the second processing circuit in orderto receive the second safety control order, and a second binary outputfor providing a third safety control order.
 11. The safety controldevice according to claim 10, wherein the third safety control orderadopts at least two states: a third start safety control order when afirst safety control order provided by the safety control device is afirst start safety control order and when the second safety controlorder is a second start safety control order, or a third stop safetycontrol order when a first safety control order provided by the safetycontrol device is a first stop safety control order or when the secondsafety control order is a second stop safety control order.
 12. Acontactor comprising: at least one electrical contact connected to anupstream current line and a downstream current line, said electricalcontact being configured to allow the flow of an electric currentbetween the upstream current line and the downstream current line to bepermitted or blocked, an actuator designed to actuate the at least oneelectrical contact, a safety control device according to claim 1, saidsafety control device being connected to the actuator in order toprovide a first safety control order to said actuator in order tocontrol the actuation of the at least one electrical contact, a firstconnection terminal connected to a first connection point of said safetycontrol device, and a second connection terminal connected to a secondconnection point of said safety control device, wherein the safetycontrol device controls the actuator: so as to execute closure of the atleast one electrical contact when the first safety control order is afirst start safety control order, or so as to execute opening of the atleast one electrical contact when the first safety control order is afirst stop safety control order.
 13. The contactor according to claim12, wherein the contactor further comprises a third connection terminalconnected to a third connection point of the safety control device, saidsafety control device being connected to the actuator via a secondbinary output in order to provide a third safety control order to theactuator and thus control said actuator: so as to execute closure of theat least one electrical contact when the third safety control order is athird start safety control order, or so as to execute opening of the atleast one electrical contact when the third safety control order is athird stop safety control order.
 14. A method for safely processing athird signal formed of at least one pulse provided by at least a firstreceiver circuit of a safety control device according to claim 1, saidmethod comprising iteratively counting a number of pulses provided bythe first receiver circuit during a time interval of a predefinedduration.
 15. The method for safely processing a third signal accordingto claim 14, wherein a first counter is incremented when a number ofpulses counted during a time interval is between a predefined minimumnumber of pulses and a predefined maximum number of pulses.
 16. Themethod for safely processing a third signal according to claim 15,wherein a first start safety control order is generated when the firstcounter is equal to or greater than a predefined validation threshold.17. The method for safely processing a third signal according to claim15, wherein a second counter is incremented when the number of pulsescounted during the time interval is not between the minimum number ofpulses and the maximum number of pulses.
 18. The method for safelyprocessing a third signal according to claim 17, wherein a first stopsafety control order is generated when the second counter is equal to orgreater than a predefined invalidation threshold.